The CIPP/E Body of Knowledge v1.3.3 (effective September 1, 2025) made two types of changes: a structural reorganization splitting the old three-domain structure into five — with no change to sub-topics or question weighting — and a genuine content addition covering EU AI Act and NIS2 intersection points, representing the IAPP's standard 10–15% annual refresh. If your study material still describes three domains, it is structurally outdated. If it omits EU AI Act and NIS2 content, it is substantively incomplete.
Every CIPP/E study guide published before September 2025 describes an exam with three domains. The current exam has five. Nothing about the actual tested content changed in that reorganization — but if you are studying from an older resource without realizing it, you will spend time confused about a structural discrepancy that does not reflect any real knowledge gap. That confusion is avoidable. Here is everything that changed, what it means for your preparation, and exactly how to calibrate your study time.
Two Types of Change: Structural vs Substantive
The BoK v1.3.3 update is best understood as two distinct categories of change happening in the same document:
Structural (No Content Impact)
- Domain count increased from 3 to 5
- Old Domain II split into three new domains (II, III, IV)
- Sub-topics unchanged — same content, regrouped
- Question weighting per sub-topic unchanged
- No topics removed, no topics added in this layer
- Impact on your preparation: zero, assuming current materials
Genuinely New Content (~10–15%)
- EU AI Act intersection points (Article 22, DPIA-FRIA interaction, training data lawful basis)
- NIS2 Directive cybersecurity overlap with GDPR security obligations
- Updated digital-regulation ecosystem context
- Impact on your preparation: real — requires targeted study
The distinction matters because these two categories require different responses. The domain reorganization requires you to do nothing except use current study materials. The new content requires you to actually learn new things — specific intersection topics that were not tested before September 2025. Most of the anxiety candidates express about "what changed" is directed at the structural change, which is harmless. The substantive change gets less attention and is the thing that actually needs work.
The Domain Reorganization: Before and After
- Domain I — Introduction to European Data Protection
- Domain II — European Data Protection Law and Regulation (GDPR A through K — the entire GDPR content in one block)
- Domain III — Compliance with European Data Protection Law and Regulation
- Domain I — Introduction to European Data Protection
- Domain II — European Data Protection Law and Regulation (core GDPR principles and lawful bases)
- Domain III — European Data Processing (split from old Domain II)
- Domain IV — European Data Protection: Scope and Accountability (international transfers — split from old Domain II)
- Domain V — Compliance with European Data Protection Law and Regulation
The IAPP has stated explicitly that the split is purely organizational: same sub-topics, same question allocation, just regrouped into a clearer structure. Candidates studying current five-domain materials are not facing a harder exam or more content — just a more precisely organized one. Candidates studying three-domain materials are not encountering wrong content, but they are using a structurally outdated map.
The 2026 CIPP/E Domain Structure in Full
| Domain | Name | Core Coverage | BoK Status |
|---|---|---|---|
| I | Introduction to European Data Protection | History and origins of European privacy law; ECHR Article 8; EU Charter of Fundamental Rights; regulatory landscape and supervisory authority structure | Unchanged |
| II | European Data Protection Law and Regulation | GDPR core principles (Articles 5–11); lawful bases for processing; special category data; automated decision-making (Article 22); new: AI Act intersection with Article 22 | + AI Act |
| III | European Data Processing | Controller and processor obligations; data subject rights (Articles 12–23); DPA and representative obligations; records of processing activities (Article 30) | Split from old II |
| IV | European Data Protection: Scope and Accountability | International data transfers (Chapter V); adequacy decisions; SCCs; binding corporate rules; BCR authorisation; new: AI training data transfer considerations | Split from old II + AI Act |
| V | Compliance with European Data Protection Law and Regulation | DPIAs (Article 35); Data Protection Officers; security obligations; breach notification; new: NIS2 overlap with GDPR breach notification and security; enforcement and supervisory authority powers | + NIS2 |
Domain structure per CIPP/E Body of Knowledge v1.3.3, effective September 1, 2025. Question weighting by sub-topic carried over unchanged from the previous three-domain structure.
The EU AI Act Content: What the CIPP/E Now Tests
The EU AI Act content added to BoK v1.3.3 is intersection-focused — the exam is not testing the AI Act wholesale. What it is testing is the specific points where GDPR analysis now needs to account for AI-specific context. A candidate who has studied only core GDPR and never engaged with the AI Act will encounter questions they cannot answer from GDPR knowledge alone.
| Topic | GDPR Hook | AI Act Intersection Tested |
|---|---|---|
| Article 22 — Automated Decision-Making | Right not to be subject to solely automated decisions with legal or significant effects | How AI Act prohibited practices and high-risk system obligations interact with existing Article 22 protections; whether an AI system's automated output triggers Article 22 scope |
| Lawful Basis for AI Training Data | Article 6 lawful basis; Article 9 special category basis for sensitive data | Which lawful basis applies when personal data is used to train AI models; compatibility analysis under Article 6(4) for purpose limitation; legitimate interests balancing for AI training |
| DPIA and FRIA Interaction | Article 35 Data Protection Impact Assessment | How a DPIA for a high-risk AI system interacts with the AI Act's own Fundamental Rights Impact Assessment (FRIA); what needs to be documented in each and where they overlap |
| High-Risk AI System Documentation | Article 30 Records of Processing Activities; Article 5 data minimisation | How Annex IV technical documentation obligations for high-risk AI systems relate to existing GDPR documentation requirements; data minimisation tension with model training data needs |
This is not a full AI governance curriculum. Candidates preparing for the CIPP/E do not need to understand how to design an AI governance program, run a red-teaming exercise, or implement an AI risk management framework — that depth belongs to the AIGP. See Does CIPP Cover AI Governance? What Privacy Pros Need to Know for where the line sits. What CIPP/E candidates do need is fluency at the intersection points in the table above — specifically, the ability to apply GDPR concepts correctly when the processing context involves an AI system.
The NIS2 Content: What the CIPP/E Now Tests
NIS2 additions appear in Domain V, specifically around cybersecurity obligations and breach notification. The examination angle is not NIS2 as a standalone framework — it is how NIS2 and GDPR interact for organizations subject to both.
The key intersection points tested:
- Incident reporting timelines: NIS2 requires significant incident notification to national authorities within 24 hours (early warning) and 72 hours (incident notification) — the same 72-hour window as GDPR breach notification to supervisory authorities, but NIS2's early-warning step creates an additional layer. Candidates should understand that both obligations may run simultaneously and that the NIS2 early warning does not replace the GDPR notification.
- Security obligation scope: GDPR Article 32 requires appropriate technical and organisational security measures. NIS2 imposes more specific minimum measures (multi-factor authentication, supply chain security, incident handling capabilities) on entities within its scope. Where both apply, the NIS2 minimum represents a floor that GDPR Article 32 proportionality analysis must at least meet.
- Supervisory authority coordination: Data protection and NIS2 supervisory authorities are different bodies (NDA vs DPA in most jurisdictions). Candidates should understand that an incident affecting personal data under an organization subject to NIS2 may trigger parallel notification obligations to different authorities under different legal frameworks.
The CIPP/E is testing NIS2 as an intersection topic with GDPR — not as a standalone certification in network and information security. Candidates do not need NIS2 implementation expertise. They need to understand where NIS2 creates parallel or overlapping obligations with GDPR, and how a privacy professional operating in an organization subject to both frameworks would navigate them. If a question presents a security incident scenario involving both personal data and systems in scope for NIS2, the candidate needs to recognize both frameworks are engaged — not provide a step-by-step NIS2 implementation plan.
The 10–15% Annual Update Rule: Why It Matters for Your Prep
The IAPP has applied a consistent policy across multiple certification cycles: annual BoK updates add no more than 10–15% genuinely new content. This is not a rough estimate — it is a deliberate design constraint the IAPP has stated explicitly and maintained across the CIPP/E, CIPM, CIPP/US, and AIGP update cycles.
What this means practically: if you have studied thoroughly from a resource one cycle behind current (i.e., the three-domain version), approximately 85–90% of what you learned is still directly applicable to the current exam. You do not need to restart preparation — you need to identify the specific new content slice and add it to what you already know.
The CIPP/E v1.3.3 genuinely new content slice is narrow and identifiable: EU AI Act intersection points (specifically Article 22, training data lawful basis, and DPIA-FRIA interaction) and NIS2 breach-notification and security-obligation overlap. That is the entire new content footprint. Everything else is structural reorganization with no knowledge impact.
Study Calibration: What to Do With This Information
How This Compares to Other IAPP BoK Updates
| Exam | Recent BoK Change | Type | Content Impact |
|---|---|---|---|
| CIPP/E v1.3.3 | 3 domains → 5; EU AI Act and NIS2 additions | Structural + modest content | Low — targeted new content slice only |
| AIGP BoK v2.1 | Expanded EU AI Act high-risk obligations; deeper NIST AI RMF; no structural change | Substantive content refresh | Medium — meaningful content shift in Domains II and III |
| CIPP/US (current) | State Privacy Laws domain substantially expanded; no structural change | Targeted content overhaul | High within State Privacy Laws domain specifically |
| CIPM (current) | Clarifying language; no structural or content change | Maintenance | Negligible |
Each IAPP exam's annual update cycle reflects what is moving fastest in its subject area. For CIPP/E this cycle, that meant formalizing AI Act and NIS2 intersection points within a clarified domain structure. For CIPP/US, it was the explosion of state privacy legislation. For AIGP, it was deepening EU AI Act and NIST AI RMF coverage to match the certification's growing operational depth. The pattern across all four is consistent: IAPP updates are additive and targeted, not overhauls requiring candidates to restart preparation.
How to Verify You Are Using Current Study Material
- Domain count check: Any material organized around three domains predates September 2025. It is the fastest sanity check. Five domains = current structure.
- EU AI Act content check: Look specifically for Article 22 interaction with AI systems and DPIA-FRIA relationship. Absence of these topics is the clearest signal a resource has not been updated for v1.3.3.
- NIS2 content check: Look for breach notification timeline comparison between GDPR and NIS2, and security obligation overlap. A resource covering only GDPR Article 32 without mentioning NIS2 context is incomplete for Domain V.
- Download the BoK directly from IAPP: The Body of Knowledge document is the authoritative source for what is tested. Third-party guides are useful for practice and explanation but the BoK itself is the definitive reference. The IAPP makes it available to registered candidates and IAPP members.
- Watch for the next annual update: Typically effective September 1 each year. The IAPP provides a minimum of 90 days advance notice before new content appears on live exams.
Frequently Asked Questions
How many domains does the CIPP/E exam have in 2026?
Five. The BoK v1.3.3, effective September 1, 2025, split the former three-domain structure into five by dividing the old Domain II (which contained all GDPR content in one block) into three separate domains. The underlying sub-topics and question weighting did not change.
What is genuinely new in the CIPP/E Body of Knowledge v1.3.3?
Two content additions representing approximately 10–15% of tested material: EU AI Act intersection points — specifically Article 22 automated decision-making, lawful basis for AI training data, and DPIA-FRIA interaction — and NIS2 Directive overlap with GDPR breach notification and security obligations. Everything else in the update is structural reorganization with no content change.
Does the CIPP/E now test the EU AI Act?
Yes, at intersection depth. The CIPP/E does not test AI governance program design or AI risk management frameworks — that belongs to the AIGP. What it does test is how GDPR obligations apply when the processing context involves an AI system: Article 22 scope, lawful basis for training data, and how DPIAs interact with the AI Act's FRIA requirement.
Is my existing CIPP/E study material still valid after the BoK v1.3.3 update?
Largely yes for content accuracy — the structural reorganization did not remove or change any sub-topics. However: any material describing three domains is structurally out of date (map old Domain II → new Domains II, III, IV), and any material that omits EU AI Act intersection points and NIS2 overlap is substantively incomplete. Those gaps need to be filled before exam day.
What is the passing score for the CIPP/E in 2026?
300 on a 100–500 scaled score range. This did not change with the BoK v1.3.3 update. The exam format also remains unchanged: 90 questions total (75 scored, 15 unscored field-test items), 2.5 hours. The full exam structure is covered in the CIPP/E exam guide.
When does the IAPP update the CIPP/E Body of Knowledge?
Annually, typically effective September 1. The IAPP provides a minimum of 90 days advance notice before changes take effect on live exams — meaning new content announced in June would not appear on exams before September 1.
How is the CIPP/E BoK update different from the AIGP BoK v2.1 update?
The CIPP/E v1.3.3 update was primarily structural (three domains → five) with targeted content additions (EU AI Act and NIS2 intersection). The AIGP BoK v2.1 update focused on substantive content refresh — expanded EU AI Act high-risk system obligations and deeper NIST AI RMF coverage — without structural reorganization. Both applied the IAPP's 10–15% new content ceiling.
If I hold the AIGP, do I still need to study the EU AI Act content for CIPP/E?
Yes, but your study burden is much lower than a candidate approaching it fresh. Your AIGP foundation covers the EU AI Act and AI system classification in depth. For CIPP/E, you need to focus specifically on the GDPR-angle intersection points — how GDPR obligations apply when the data subject is affected by an AI system — rather than the governance implementation layer you already know.
The CIPP/E BoK v1.3.3 made two kinds of changes that require two different responses. The domain reorganization — three to five — requires nothing except using current study materials. The genuine content additions — EU AI Act intersection points and NIS2 overlap with GDPR — require targeted study of specific topics that were not tested before September 2025.
If your material describes three domains, it is structurally outdated but content-accurate — map old Domain II to new Domains II, III, and IV and add the new intersection content. If your material describes five domains but omits EU AI Act and NIS2 content, it is structurally current but substantively incomplete — fill the gap before booking. If you already hold the AIGP, your AI Act foundation is strong; focus your CIPP/E prep on the GDPR-specific intersection points rather than repeating what you already know.
Related reading: CIPP/E Exam Guide 2026, AIGP BoK v2.1: What Changed, EU AI Act 2026 Deadline Timeline, and CIPP/E vs CIPM: Which to Take First.